Bug#785595: WebIDE downloads and launches adb binary without prompting; subsequently runs at Firefox startup

Josh Triplett josh at joshtriplett.org
Mon May 18 06:24:38 UTC 2015 

Package: iceweasel
Version: 38.0-2
Severity: grave
Tags: upstream

I opened up the developer menu in Firefox 38, and saw the new "WebIDE".
I opened that up to take a look at it, and then closed it, without
running anything else.

That action alone apparently caused Firefox to silently download the
"ADB Helper" and "Valence" extensions in the background (see extension
list below), install them without prompting, and run them.  That in turn
downloaded and ran a pre-compiled adb binary in the background (which
Firefox launches at startup).

While it's potentially acceptable to *optionally* install such
extensions on user request, or even prompt to install them, silently
doing so without user consent in response to opening WebIDE (and doing
absolutely nothing with it) is definitely not OK.

This is upstream bug
https://bugzilla.mozilla.org/show_bug.cgi?id=1114380

- Josh Triplett

-- Package-specific info:

-- Extensions information
Name: ADB Helper
Location: ${PROFILE_EXTENSIONS}/adbhelper at mozilla.org
Status: enabled

Name: Adblock Plus
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Package: xul-ext-adblock-plus
Status: enabled

Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: HTTPS-Everywhere
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/https-everywhere at eff.org
Package: xul-ext-https-everywhere
Status: enabled

Name: It's All Text!
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/itsalltext at docwhat.gerf.org
Package: xul-ext-itsalltext
Status: enabled

Name: Valence
Location: ${PROFILE_EXTENSIONS}/fxdevtools-adapters at mozilla.org
Status: enabled

-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled

Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled


-- Addons package information
ii  gnome-shell    3.14.4-1     amd64        graphical shell for the GNOME des
ii  iceweasel      38.0-2       amd64        Web browser based on Firefox
ii  rhythmbox-plug 3.2.1-1      amd64        plugins for rhythmbox music playe
ii  xul-ext-adbloc 2.6.9+dfsg-2 all          advertisement blocking extension 
ii  xul-ext-https- 4.0.3-1      all          extension to force the use of HTT
ii  xul-ext-itsall 1.9.1-2      all          extension to edit textareas using

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.0.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages iceweasel depends on:
ii  debianutils               4.5
ii  fontconfig                2.11.0-6.3
ii  libasound2                1.0.28-1
ii  libatk1.0-0               2.16.0-2
ii  libc6                     2.19-18
ii  libcairo2                 1.14.2-2
ii  libdbus-1-3               1.8.18-1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-2
ii  libffi6                   3.1-2+b2
ii  libfontconfig1            2.11.0-6.3
ii  libfreetype6              2.5.2-4
ii  libgcc1                   1:5.1.1-5
ii  libgdk-pixbuf2.0-0        2.31.1-2+b1
ii  libglib2.0-0              2.44.0-3
ii  libgtk2.0-0               2.24.25-3
ii  libhunspell-1.3-0         1.3.3-3
ii  libnspr4                  2:4.10.8-1
ii  libnss3                   2:3.19-1
ii  libpango-1.0-0            1.36.8-3
ii  libsqlite3-0              3.8.10.1-1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                5.1.1-5
ii  libvpx2                   1.4.0-3
ii  libx11-6                  2:1.6.3-1
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.1-2+b2
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  procps                    2:3.3.9-9
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages iceweasel recommends:
ii  gstreamer1.0-libav         1.4.4-2
ii  gstreamer1.0-plugins-good  1.4.5-2+b1

Versions of packages iceweasel suggests:
pn  fonts-mathjax          <none>
pn  fonts-oflb-asana-math  <none>
pn  fonts-stix | otf-stix  <none>
ii  libcanberra0           0.30-2.1
ii  libgnomeui-0           2.24.5-3
ii  libgssapi-krb5-2       1.12.1+dfsg-20
pn  mozplugger             <none>

-- no debconf information

More information about the pkg-mozilla-maintainers mailing list